本文将带您了解关于Android进阶答疑:Hook的新内容,同时我们还将为您解释androidhook技术的相关知识,另外,我们还将为您提供关于和、androdhookacitivity启动流程,替换
本文将带您了解关于Android 进阶答疑:Hook的新内容,同时我们还将为您解释android hook技术的相关知识,另外,我们还将为您提供关于和、androd hook acitivity 启动流程,替换启动的activity(Android Instrumentation)、Android ClassLoader Hook 注入方式、Android Exception Hook的实用信息。
本文目录一览:- Android 进阶答疑:Hook(android hook技术)
- 和
- androd hook acitivity 启动流程,替换启动的activity(Android Instrumentation)
- Android ClassLoader Hook 注入方式
- Android Exception Hook
Android 进阶答疑:Hook(android hook技术)
接下来深海会和大家逐步分享分析Android插件化相关的东西
要了解插件化首先要具备三个前提条件:
1.Android 系统源码阅读于理解
2.Java 反射机制
3.Hook技术
今天咱们就一起分析Hook的相关知识
一.Hook是什么?
在事件执行的过程中截获并监控事件的执行流,将自身的代码融入其执行流中
二.简单举例: Hook 修改 View.OnClickListener 事件
首先阅读系统类View的源码,找到Hook点击事件的关键代码
看点击事件的方法:这边传入的事件赋给了ListenerInfo对象的mOnClickListener接口实例
public void setonClickListener(@Nullable OnClickListener l) {
if (!isClickable()) {
setClickable(true);
}
getListenerInfo().mOnClickListener = l;
}追溯该方法:该方法返回了ListenerInfo对象
@UnsupportedAppUsage
ListenerInfo getListenerInfo() {
if (mListenerInfo != null) {
return mListenerInfo;
}
mListenerInfo = new ListenerInfo();
return mListenerInfo;
}然后整理结构:
得出Hook路线:
1.拿到View对象中的mListenerInfo对象
2.然后拿到mOnClickListener接口实例
3.对该实例进行二次封装后替换该实例
具体实现代码:
/*
*作者:赵星海
*时间:2020/6/23 9:51
*用途:Hook简单举例(View点击事件)
*/
public static void hookOnClickListener(View view) throws Exception {
// 第一步:反射得到 ListenerInfo 对象
Method getListenerInfo = View.class.getDeclaredMethod("getListenerInfo");
getListenerInfo.setAccessible(true);
Object listenerInfo = getListenerInfo.invoke(view);
// 第二步:得到原始的 OnClickListener事件方法
Class<?> listenerInfoClz = Class.forName("android.view.View$ListenerInfo");
Field mOnClickListener = listenerInfoClz.getDeclaredField("mOnClickListener");
mOnClickListener.setAccessible(true);
View.OnClickListener originonClickListener = (View.OnClickListener) mOnClickListener.get(listenerInfo);
// 第三步:用 Hook代理类 替换原始的 OnClickListener
View.OnClickListener hookedOnClickListener = new HookedClickListener(originonClickListener);
mOnClickListener.set(listenerInfo, hookedOnClickListener);
}
public static class HookedClickListener implements View.OnClickListener {
private View.OnClickListener origin;
public HookedClickListener(View.OnClickListener origin) {
this.origin = origin;
}
@Override
public void onClick(View v) {
// Toast.makeText(v.getContext(), "你的点击事件被赵星海劫持了!", Toast.LENGTH_SHORT).show();
if (origin != null) {
origin.onClick(v);
}
}
}好了今天的分享就到这里哦,关于上诉内容,有任何的疑惑或者建议欢迎评论区沟通交流哦~
深海特别愿意和大家一起互相学习互相进步
和
- <!--{hook/global_cpnav_extra1}-->和<!--{hook/global_cpnav_extra2}-->
- <!--{hook/global_cpnav_extra1}-->顶部左边
<!--{hook/global_cpnav_extra2}-->顶部右边 复制代码
androd hook acitivity 启动流程,替换启动的activity(Android Instrumentation)
前言:如果程序想要知道有activity启动,如果想要拦截activity,然后跳转到指定的activity怎么办?
我们看下ActivityThread 里面:
private Activity performLaunchActivity(ActivityClientRecord r, Intent customIntent) {
// System.out.println("##### [" + System.currentTimeMillis() + "] ActivityThread.performLaunchActivity(" + r + ")");
ActivityInfo aInfo = r.activityInfo;
if (r.packageInfo == null) {
r.packageInfo = getPackageInfo(aInfo.applicationInfo, r.compatInfo,
Context.CONTEXT_INCLUDE_CODE);
}
ComponentName component = r.intent.getComponent();
if (component == null) {
component = r.intent.resolveActivity(
mInitialApplication.getPackageManager());
r.intent.setComponent(component);
}
if (r.activityInfo.targetActivity != null) {
component = new ComponentName(r.activityInfo.packageName,
r.activityInfo.targetActivity);
}
ContextImpl appContext = createBaseContextForActivity(r);
Activity activity = null;
try {
java.lang.ClassLoader cl = appContext.getClassLoader();
activity = mInstrumentation.newActivity(
cl, component.getClassName(), r.intent);
StrictMode.incrementExpectedActivityCount(activity.getClass());
r.intent.setExtrasClassLoader(cl);
r.intent.prepareToEnterProcess();
if (r.state != null) {
r.state.setClassLoader(cl);
}
} catch (Exception e) {
if (!mInstrumentation.onException(activity, e)) {
throw new RuntimeException(
"Unable to instantiate activity " + component
+ ": " + e.toString(), e);
}
}
....
if (activity != null) {
CharSequence title = r.activityInfo.loadLabel(appContext.getPackageManager());
Configuration config = new Configuration(mCompatConfiguration);
if (r.overrideConfig != null) {
config.updateFrom(r.overrideConfig);
}
if (DEBUG_CONFIGURATION) Slog.v(TAG, "Launching activity "
+ r.activityInfo.name + " with config " + config);
Window window = null;
if (r.mPendingRemoveWindow != null && r.mPreserveWindow) {
window = r.mPendingRemoveWindow;
r.mPendingRemoveWindow = null;
r.mPendingRemoveWindowManager = null;
}
appContext.setOuterContext(activity);
activity.attach(appContext, this, getInstrumentation(), r.token,
r.ident, app, r.intent, r.activityInfo, title, r.parent,
r.embeddedID, r.lastNonConfigurationInstances, config,
r.referrer, r.voiceInteractor, window, r.configCallback);
if (customIntent != null) {
activity.mIntent = customIntent;
}
可以看到,执行启动activity的时候,
activity = mInstrumentation.newActivity(
cl, component.getClassName(), r.intent);
StrictMode.incrementExpectedActivityCount(activity.getClass());
那么我们是不是可以在这个时候拦截一下返回的activity呢?
OK,我们继承Instrumentation,并且重写里面的方法。
package com.****r.app;
import android.app.Activity;
import android.app.Instrumentation;
import android.content.Intent;
import com.*****.ActivityAbout;
/**
* =======================================================================================
* 作 者:caoxinyu
* 创建日期:2019/2/19.
* 类的作用:
* 修订历史:
* =======================================================================================
*/
public class MyInstrumentation extends Instrumentation {
private Instrumentation base;
public MyInstrumentation(Instrumentation base) {
this.base = base;
}
@Override
public Activity newActivity(ClassLoader cl, String className, Intent intent) throws InstantiationException, IllegalAccessException, ClassNotFoundException {
try {
//这里需要setExtrasClassLoader 不然的话,getParecleable 对象可能会拿不到
//很多hook Instrumentation的人都不知道。
// 这里try catch 是防止恶意攻击 导致android.os.BadParcelableException: ClassNotFoundException when unmarshalling
intent.setExtrasClassLoader(cl);
intent.getBooleanExtra("a",false);
}catch (Exception e){
}
if (intent.getBooleanExtra("ActivityAbout",false)) {
return super.newActivity(cl, ActivityAbout.class.getName(), intent);
}
return super.newActivity(cl,className, intent);
}
}
那么怎么使我们重写的类生效呢?
package com.***;
import android.app.Instrumentation;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
public class Hooker {
private static final String TAG = "Hooker";
public static void hookInstrumentation() {
Class<?> activityThread = null;
try {
activityThread = Class.forName("android.app.ActivityThread");
Method sCurrentActivityThread = activityThread.getDeclaredMethod("currentActivityThread");
sCurrentActivityThread.setAccessible(true);
//获取ActivityThread 对象
Object activityThreadObject = sCurrentActivityThread.invoke(activityThread);
//获取 Instrumentation 对象
Field mInstrumentation = activityThread.getDeclaredField("mInstrumentation");
mInstrumentation.setAccessible(true);
Instrumentation instrumentation = (Instrumentation) mInstrumentation.get(activityThreadObject);
MyInstrumentation customInstrumentation = new MyInstrumentation(instrumentation);
//将我们的 customInstrumentation 设置进去
mInstrumentation.set(activityThreadObject, customInstrumentation);
} catch (Exception e) {
e.printStackTrace();
}
}
}
上面这些代码是通过反射,把自己的Instrumentation 设置进去。
然后在程序初始化的时候,调用下面的代码即可。
Hooker.hookInstrumentation();
我们启动一个A activity,如果intent.getBooleanExtra(“ActivityAbout”,false),那么你的A activity 将被拦截成ActivityAbout。
那么还有一个问题,为什么要设置ClassLoader?
intent.setExtrasClassLoader(cl);
因为如果不设置的话,getParecleable 对象可能会拿不到。在8.0以前的手机,直接崩溃:android.os.BadParcelableException: ClassNotFoundException when unmarshalling。在8.0以上的话,系统会catch 住这个崩溃,但是你的数据全都会被清空。
具体分析如下:
简单try catch,在低版本上没有问题。但是在android8.0以上,会有问题。
在Android8.0以上,如果getBooleanExt 方法里面失败了,系统会catch BadParcelableException,并把intent 里面的数据清空。具体可见下面的截图,
这就导致简单try catch 之后的代码,运行在8.0以上手机,收不到intent里面的数据,因为Intent 里面的跳转数据被清空了。
还是要查清楚为什么会出现ClassNotFoundException when unmarshalling
根据源码,在这里getBooleanExt 会出问题是因为系统在这一步还没有设置解析Parcelable 的classLoader。如下图
所以,有问题的代码需要这样改下。
系统是在调用了 mInstrumentation.newActivity之后设置了classLoader r.intent.setExtrasClassLoader(cl), 所以hook 在newActivity 这一步get Parcelable 数据是有问题的。
不然会有下面这种错误:
java.lang.RuntimeException: Unable to instantiate activity ComponentInfo{com.aaa./.WelcomeActivity}: android.os.BadParcelableException: ClassNotFoundException when unmarshalling: com.nearme.mcs.entity.MessageEntity
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2492)
at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2678)
at android.app.ActivityThread.access$900(ActivityThread.java:187)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1523)
at android.os.Handler.dispatchMessage(Handler.java:111)
at android.os.Looper.loop(Looper.java:210)
at android.app.ActivityThread.main(ActivityThread.java:5809)
at java.lang.reflect.Method.invoke(Native Method)
at java.lang.reflect.Method.invoke(Method.java:372)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:1113)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:879)
Caused by: android.os.BadParcelableException: ClassNotFoundException when unmarshalling: com.nearme.mcs.entity.MessageEntity
at android.os.Parcel.readParcelableCreator(Parcel.java:2305)
at android.os.Parcel.readParcelable(Parcel.java:2255)
at android.os.Parcel.readValue(Parcel.java:2162)
at android.os.Parcel.readArrayMapInternal(Parcel.java:2495)
at android.os.BaseBundle.unparcel(BaseBundle.java:221)
at android.os.BaseBundle.getBoolean(BaseBundle.java:658)
at android.content.Intent.getBooleanExtra(Intent.java:5129)
at com.nearme.game.sdk.y.o_a(SourceFile:46)
at com.nearme.game.sdk.y.newActivity(SourceFile:28)
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2469)
at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2678)
at android.app.ActivityThread.access$900(ActivityThread.java:187)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1523)
at android.os.Handler.dispatchMessage(Handler.java:111)
at android.os.Looper.loop(Looper.java:210)
at android.app.ActivityThread.main(ActivityThread.java:5809)
at java.lang.reflect.Method.invoke(Native Method)
at java.lang.reflect.Method.invoke(Method.java:372)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:1113)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:879)
加油,自己学会了使用Source Insight 看源码。开始慢慢的去学习技术的原理。加油!
Android ClassLoader Hook 注入方式
最近尝试热修复,反射调用补丁类,发现 android O 的类提前加载了,但没有初始化,所以出现了补丁无法生效的问题,对比一下之前版本,发现 Android 6.0 执行到指定位置才去加载,并且初始化,因此想法去证实这个问题。
一、为什么要注入 ClassLoader?
- 观察 Android 中类的加载时机、类的机制、定为加载问题
- 观察补丁包或者插件加载机制
二、替换方式
默认形式
PathClassloader.parent <- PathClassloader
方案一:
PathClassloader.parent <- Hook ClassLoader <- PathClassloader
这种方案实现比较简单
public class DelegateClassLoader extends PathClassLoader {
private ClassLoader mPathClassLoader;
private DelegateClassLoader(String dexPath,ClassLoader parentClassLoader) {
super(dexPath, parentClassLoader);
mPathClassLoader = getClass().getClassLoader();
}
//PathClassloader.parent <- PathClassloader ====> PathClassloader.parent <- Hook ClassLoader <- PathClassloader
public static synchronized void hook(ClassLoader pathClassLoader) throws NoSuchFieldException, IllegalAccessException {
ClassLoader classLoader = new DelegateClassLoader("",pathClassLoader.getParent());
Field parentField = ClassLoader.class.getDeclaredField("parent");
parentField.setAccessible(true);
parentField.set(pathClassLoader,classLoader);
Thread.currentThread().setContextClassLoader(classLoader);
}
@Override
protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
return super.loadClass(name, resolve);
}
@Override
protected Class<?> findClass(String name) throws ClassNotFoundException {
return super.findClass(name);
}
}调用方式如下
public class BaseHotfixApplication extends Application {
@Override
protected void attachBaseContext(Context base) {
super.attachBaseContext(base);
try {
DelegateClassLoader.hook(base.getClassLoader());
} catch (NoSuchFieldException e) {
e.printStackTrace();
} catch (IllegalAccessException e) {
e.printStackTrace();
}
}
@Override
public void onCreate() {
super.onCreate();
}
}
方案二:
PathClassloader.parent <- PathClassloader <- Hook ClassLoader
本方案比较局限,但同样比较流行,来自 Tinker 的方案,本方案是为了解决热修复补丁包在 Android N 以后版本的混编问题
final class NewClassLoaderInjector {
public static ClassLoader inject(Application app, ClassLoader oldClassLoader, File dexOptDir,
boolean useDLC, List<File> patchedDexes) throws Throwable {
final String[] patchedDexPaths = new String[patchedDexes.size()];
for (int i = 0; i < patchedDexPaths.length; ++i) {
patchedDexPaths[i] = patchedDexes.get(i).getAbsolutePath();
}
final ClassLoader newClassLoader = createNewClassLoader(oldClassLoader,
dexOptDir, useDLC, patchedDexPaths);
doInject(app, newClassLoader);
return newClassLoader;
}
public static void triggerDex2Oat(Context context, File dexOptDir, boolean useDLC,
String... dexPaths) throws Throwable {
final ClassLoader triggerClassLoader = createNewClassLoader(context.getClassLoader(), dexOptDir, useDLC, dexPaths);
}
@SuppressWarnings("unchecked")
private static ClassLoader createNewClassLoader(ClassLoader oldClassLoader,
File dexOptDir,
boolean useDLC,
String... patchDexPaths) throws Throwable {
final Field pathListField = findField(
Class.forName("dalvik.system.BaseDexClassLoader", false, oldClassLoader),
"pathList");
final Object oldPathList = pathListField.get(oldClassLoader);
final StringBuilder dexPathBuilder = new StringBuilder();
final boolean hasPatchDexPaths = patchDexPaths != null && patchDexPaths.length > 0;
if (hasPatchDexPaths) {
for (int i = 0; i < patchDexPaths.length; ++i) {
if (i > 0) {
dexPathBuilder.append(File.pathSeparator);
}
dexPathBuilder.append(patchDexPaths[i]);
}
}
final String combinedDexPath = dexPathBuilder.toString();
final Field nativeLibraryDirectoriesField = findField(oldPathList.getClass(), "nativeLibraryDirectories");
List<File> oldNativeLibraryDirectories = null;
if (nativeLibraryDirectoriesField.getType().isArray()) {
oldNativeLibraryDirectories = Arrays.asList((File[]) nativeLibraryDirectoriesField.get(oldPathList));
} else {
oldNativeLibraryDirectories = (List<File>) nativeLibraryDirectoriesField.get(oldPathList);
}
final StringBuilder libraryPathBuilder = new StringBuilder();
boolean isFirstItem = true;
for (File libDir : oldNativeLibraryDirectories) {
if (libDir == null) {
continue;
}
if (isFirstItem) {
isFirstItem = false;
} else {
libraryPathBuilder.append(File.pathSeparator);
}
libraryPathBuilder.append(libDir.getAbsolutePath());
}
final String combinedLibraryPath = libraryPathBuilder.toString();
ClassLoader result = null;
if (useDLC && Build.VERSION.SDK_INT >= 27) {
result = new DelegateLastClassLoader(combinedDexPath, combinedLibraryPath, ClassLoader.getSystemClassLoader());
final Field parentField = ClassLoader.class.getDeclaredField("parent");
parentField.setAccessible(true);
parentField.set(result, oldClassLoader);
} else {
result = new TinkerClassLoader(combinedDexPath, dexOptDir, combinedLibraryPath, oldClassLoader);
}
// ''EnsureSameClassLoader'' mechanism which is first introduced in Android O
// may cause exception if we replace definingContext of old classloader.
if (Build.VERSION.SDK_INT < 26) {
findField(oldPathList.getClass(), "definingContext").set(oldPathList, result);
}
return result;
}
private static void doInject(Application app, ClassLoader classLoader) throws Throwable {
Thread.currentThread().setContextClassLoader(classLoader);
final Context baseContext = (Context) findField(app.getClass(), "mBase").get(app);
try {
findField(baseContext.getClass(), "mClassLoader").set(baseContext, classLoader);
} catch (Throwable ignored) {
// There''s no mClassLoader field in ContextImpl before Android O.
// However we should try our best to replace this field in case some
// customized system has one.
}
final Object basePackageInfo = findField(baseContext.getClass(), "mPackageInfo").get(baseContext);
findField(basePackageInfo.getClass(), "mClassLoader").set(basePackageInfo, classLoader);
if (Build.VERSION.SDK_INT < 27) {
final Resources res = app.getResources();
try {
findField(res.getClass(), "mClassLoader").set(res, classLoader);
final Object drawableInflater = findField(res.getClass(), "mDrawableInflater").get(res);
if (drawableInflater != null) {
findField(drawableInflater.getClass(), "mClassLoader").set(drawableInflater, classLoader);
}
} catch (Throwable ignored) {
// Ignored.
}
}
}
private static Field findField(Class<?> clazz, String name) throws Throwable {
Class<?> currClazz = clazz;
while (true) {
try {
final Field result = currClazz.getDeclaredField(name);
result.setAccessible(true);
return result;
} catch (Throwable ignored) {
if (currClazz == Object.class) {
throw new NoSuchFieldException("Cannot find field "
+ name + " in class " + clazz.getName() + " and its super classes.");
} else {
currClazz = currClazz.getSuperclass();
}
}
}
}
private NewClassLoaderInjector() {
throw new UnsupportedOperationException();
}
}ClassLoader 定义如下
@Keep
@SuppressLint("NewApi")
public final class TinkerClassLoader extends BaseDexClassLoader {
private final ClassLoader mOriginAppClassLoader;
TinkerClassLoader(String dexPath, File optimizedDir, String libraryPath, ClassLoader originAppClassLoader) {
super(dexPath, optimizedDir, libraryPath, ClassLoader.getSystemClassLoader());
mOriginAppClassLoader = originAppClassLoader;
}
@Override
protected Class<?> findClass(String name) throws ClassNotFoundException {
Class<?> cl = null;
try {
cl = super.findClass(name);
} catch (ClassNotFoundException ignored) {
cl = null;
}
if (cl != null) {
return cl;
} else {
return mOriginAppClassLoader.loadClass(name);
}
}
@Override
public URL getResource(String name) {
// The lookup order we use here is the same as for classes.
URL resource = Object.class.getClassLoader().getResource(name);
if (resource != null) {
return resource;
}
resource = findResource(name);
if (resource != null) {
return resource;
}
return mOriginAppClassLoader.getResource(name);
}
@Override
public Enumeration<URL> getResources(String name) throws IOException {
@SuppressWarnings("unchecked")
final Enumeration<URL>[] resources = (Enumeration<URL>[]) new Enumeration<?>[] {
Object.class.getClassLoader().getResources(name),
findResources(name),
mOriginAppClassLoader.getResources(name)
};
return new CompoundEnumeration<>(resources);
}
@Keep
class CompoundEnumeration<E> implements Enumeration<E> {
private Enumeration<E>[] enums;
private int index = 0;
public CompoundEnumeration(Enumeration<E>[] enums) {
this.enums = enums;
}
@Override
public boolean hasMoreElements() {
while (index < enums.length) {
if (enums[index] != null && enums[index].hasMoreElements()) {
return true;
}
index++;
}
return false;
}
@Override
public E nextElement() {
if (!hasMoreElements()) {
throw new NoSuchElementException();
}
return enums[index].nextElement();
}
}
}
Android Exception Hook
承接上一篇文章Android Inline Hook,接下来我们看一下android系统中基于异常的hook方式,这种方式与inline hook相比实现较为简单,但执行效率是它的短板。
exception hook的执行流程大致如下:
如图所示,在hook过程中需要多次对hook点指令和hook点的下一条指令进行修改,由此造成在执行效率上的损耗。
首先我们需要将hook点指令替换为一条不合法的异常指令,当程序执行到该位置时进程会接收到信号SIGILL(illegal instruction),然后进入到我们注册的SIgnal Handler中,在信号处理函里我们需要做两件事,一是执行我们的hook逻辑(如修改寄存器的值),二是恢复hook点指令并将hook点指令的下一条指令替换为异常指令,再恢复程序的运行。当程序运行到hook点的下一条指令时会再次触发异常进入信号处理函数,这一次我们需要在信号处理函数中将hook点指令再次替换为异常指令,然后恢复hook点的下一条指令,最后恢复程序运行。
由此可见,我们在信号处理函数中需要对异常的发生位置进行判断,对hook点跟hook点的下一条指令进行区分。当然最重要的是理解Linux系统中的信号机制。
void signal_handler(int signum, siginfo_t *Ssiginfo, void *context)
{
//信号处理函数
ucontext_t *uc = context;
struct sigcontext *sigc = &uc->uc_mcontext; } struct sigaction sig; //initialize the signal set sigemptyset(&sig.sa_mask); //make sigaction.sa_sigaction specifies the //signal-handling function for signum sig.sa_flags = SA_SIGINFO; //attach our handler sig.sa_sigaction = signal_handler; sigaction(SIGILL, &sig, NULL);通过sigaction函数对信号进行注册后我们便可以在信号处理函数中对其进行处理。Linux用户手册中对该函数进行了详细的说明,可参阅:Linux Programmer''s Manual SIGACTION(2)
在信号处理函数中我们可以通过结构体sigcontext获取异常发生时各个寄存器的信息,其定义如下:
struct sigcontext {
unsigned long trap_no; unsigned long error_code; unsigned long oldmask;
unsigned long arm_r0; unsigned long arm_r1; unsigned long arm_r2;
unsigned long arm_r3; unsigned long arm_r4; unsigned long arm_r5;
unsigned long arm_r6; unsigned long arm_r7; unsigned long arm_r8;
unsigned long arm_r9; unsigned long arm_r10; unsigned long arm_fp;
unsigned long arm_ip; unsigned long arm_sp; unsigned long arm_lr;
unsigned long arm_pc; unsigned long arm_cpsr;unsigned long fault_address;
};例如我们可以通过pc寄存器的值确定程序执行的位置。
完整程序如下:
1 #include <assert.h>
2 #include <unistd.h>
3 #include <stdlib.h>
4 #include <stdio.h>
5 #include <signal.h>
6 #include <ucontext.h>
7 #include <sys/mman.h>
8
9 int g_code_type;
10 long g_code_address;
11 uint32_t g_code_origin;
12 uint32_t g_code_next;
13
14 long get_module_addr(pid_t pid, const char *module_name)
15 {
16 FILE *fp;
17 char file_path[256];
18 char file_line[512];
19 if (pid < 0) {
20 snprintf(file_path, sizeof(file_path), "/proc/self/maps");
21 } else {
22 snprintf(file_path, sizeof(file_path), "/proc/%d/maps", pid);
23 }
24 fp = fopen(file_path, "r");
25 if (fp == NULL) {
26 return -1;
27 }
28 long addr_start = -1, addr_end = 0;
29 while (fgets(file_line, sizeof(file_line), fp)) {
30 if (strstr(file_line, module_name)) {
31 if (2 == sscanf(file_line, "%8lx-%8lx", &addr_start, &addr_end)) {
32 break;
33 }
34 }
35 }
36 fclose(fp);
37 return addr_start;
38 }
39
40 bool change_addr_attr(long address, bool writable) {
41 //根据内存页大小对齐
42 long page_size = sysconf(_SC_PAGESIZE);
43 long page_start = address & (~(page_size - 1));
44 if (writable == true) {
45 return mprotect((void*)page_start, page_size, PROT_READ | PROT_WRITE | PROT_EXEC) != -1;
46 } else {
47 return mprotect((void*)page_start, page_size, PROT_READ | PROT_EXEC) != -1;
48 }
49 }
50
51 bool write_code(long address, uint32_t data)
52 {
53 if (change_addr_attr(address, true) == false) {
54 return false;
55 }
56 if (g_code_type == IS_THUMB) {
57 *((uint16_t*)address) = (uint16_t)data;
58 } else {
59 *((uint32_t*)address) = data;
60 }
61 return change_addr_attr(address, false);
62 }
63
64 bool write_ill_instruction(long address, uint32_t *save)
65 {
66 if (g_code_type == IS_THUMB) {
67 *save = *((uint16_t*)address);
68 } else if (g_code_type == IS_ARM) {
69 *save = *((uint32_t*)address);
70 }
71 return write_code(address, 0xFFFFFFFF);
72 }
73
74 static void signal_handler(int signum, siginfo_t *Ssiginfo, void *context)
75 {
76 ucontext_t *uc = context;
77 struct sigcontext *sigc = &uc->uc_mcontext;
78
79 long next_address = g_code_address + (IS_ARM ? 4 : 2);
80
81 if (sigc->arm_pc == g_code_address) {
82 //恢复hook点指令
83 write_code(g_code_address, g_code_origin);
84 //将hook点下一条指令改为异常指令
85 write_ill_instruction(next_address, &g_code_next);
86 } else if (sigc->arm_pc == next_address){
87 //恢复hook点下一条指令
88 write_code(next_address, g_code_next);
89 //将hook点指令改为异常指令
90 write_ill_instruction(g_code_address, &g_code_origin);
91 } else {
92 exit(EXIT_FAILURE);
93 }
94 }
95
96 bool hook_exception_make(const char *library, long address, enum code_type type)
97 {
98 g_code_type = type;
99
100 struct sigaction sig;
101 sigemptyset(&sig.sa_mask);
102 sig.sa_flags = SA_SIGINFO;
103 sig.sa_sigaction = signal_handler;
104 sigaction(SIGILL, &sig, NULL);
105
106 long target_address = get_module_addr(-1, library);
107 g_code_address = target_address + address;
108 return write_ill_instruction(g_code_address, &g_code_origin);
109 }
今天关于Android 进阶答疑:Hook和android hook技术的介绍到此结束,谢谢您的阅读,有关和、androd hook acitivity 启动流程,替换启动的activity(Android Instrumentation)、Android ClassLoader Hook 注入方式、Android Exception Hook等更多相关知识的信息可以在本站进行查询。
本文标签:
